oleksandr/homelab
1
0
Fork 0
Code Pull Requests Activity

feat(k8s/cryptpad): add cryptpad stack

Browse Source
This commit is contained in:
Oleksandr Berezovskyi
2026-03-13 14:32:32 +02:00
parent 3af951d6ff
commit a7bb66a183
16 changed files with 738 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
kubernetes/app/cryptpad/TODO.md Normal file
View File

@@ -0,0 +1,78 @@
# CryptPad Deployment TODO
## 1. Generate OIDC secret and update both configs
```bash
# Generate a random secret
openssl rand -base64 32
# Hash it for Authelia
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --password 'YOUR_SECRET'
```
- [+] Decrypt Authelia configmap: `cd kubernetes && sops -d -i infrastructure/controllers/authelia/configmap.sops.yaml`
- [+] Replace `REPLACE_WITH_PBKDF2_HASH` with the generated hash
- [+] Re-encrypt: `sops -e -i infrastructure/controllers/authelia/configmap.sops.yaml`
- [+] Decrypt CryptPad secret: `sops -d -i app/cryptpad/secret.sops.yaml`
- [+] Replace `REPLACE_WITH_CRYPTPAD_OIDC_SECRET` with the plaintext secret
- [+] Re-encrypt: `sops -e -i app/cryptpad/secret.sops.yaml`
## 2. Fill in and encrypt backup secret
```bash
cd kubernetes && sops -d -i app/cryptpad/secret-backup.sops.yaml
```
- [+] Replace `REPLACE_REST_PASSWORD` with the password for the `cryptpad` htpasswd user on rest-server
- [+] Replace `REPLACE_WITH_STRONG_PASSWORD` x2 with restic repo passwords for NAS and B2
- [+] Replace `REPLACE_WITH_B2_KEY_ID` with Backblaze B2 application key ID
- [+] Replace `REPLACE_WITH_B2_APPLICATION_KEY` with Backblaze B2 application key
- [+] Re-encrypt: `sops -e -i app/cryptpad/secret-backup.sops.yaml`
## 3. Create NFS directories on Synology
SSH into Synology and run:
```bash
mkdir -p /volume3/k8s-storage/cryptpad-data
mkdir -p /volume3/k8s-storage/cryptpad-config
```
- [+] Directories created
## 4. Set up restic repos and htpasswd user
```bash
# Generate htpasswd entry and append to /volume1/docker/rest-server/config/htpasswd on Synology
docker run --rm httpd:2-alpine htpasswd -nbB cryptpad 'YOUR_REST_PASSWORD'
# Init Synology repos
restic -r "rest:http://cryptpad:PASSWORD@synology.storage.lviv:8888/cryptpad-data/" init
restic -r "rest:http://cryptpad:PASSWORD@synology.storage.lviv:8888/cryptpad-config/" init
# Init B2 repos
B2_ACCOUNT_ID=... B2_ACCOUNT_KEY=... restic -r "b2:berezovskyi-backup-homelab-cryptpad:/data/" init
B2_ACCOUNT_ID=... B2_ACCOUNT_KEY=... restic -r "b2:berezovskyi-backup-homelab-cryptpad:/config/" init
```
- [+] cryptpad htpasswd user added to rest-server
- [+] Synology repos initialised
- [+] B2 repos initialised
## 5. Commit, push and verify deployment
- [ ] Commit and push all changes
- [ ] Pod comes up healthy (first start is slow: OnlyOffice download + SSO plugin clone):
```bash
kubectl get pods -n cryptpad -w
kubectl logs -n cryptpad -l app=cryptpad --tail=50 -f
```
- [ ] Both domains resolve with valid TLS:
- https://cryptpad.berezovskyi.dev
- https://sandbox.cryptpad.berezovskyi.dev
- [ ] OIDC login works: "Register with Authelia" button appears and completes successfully
- [ ] Run a backup job manually to verify repos:
```bash
kubectl create job -n cryptpad --from=cronjob/cryptpad-data-backup test-backup-data
kubectl logs -n cryptpad -l job-name=test-backup-data -f
```

63
kubernetes/app/cryptpad/configmap.yaml Normal file
View File

@@ -0,0 +1,63 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cryptpad-config
namespace: cryptpad
data:
application_config.js: |
(() => {
const factory = (AppConfig) => {
AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes;
AppConfig.disableAnonymousPadCreation = true;
AppConfig.disableAnonymousStore = true;
return AppConfig;
};
if (typeof(module) !== 'undefined' && module.exports) {
module.exports = factory(
require('../www/common/application_config_internal.js')
);
} else if ((typeof(define) !== 'undefined' && define !== null) && (define.amd !== null)) {
define(['/common/application_config_internal.js'], factory);
}
})();
config.js: |
module.exports = {
httpUnsafeOrigin: 'https://${CRYPTPAD_HOST}',
httpSafeOrigin: 'https://${CRYPTPAD_SANDBOX_HOST}',
httpAddress: '0.0.0.0',
//httpPort: 3000,
//httpSafePort: 3001,
// websocketPort: 3003,
// maxWorkers: 4,
//otpSessionExpiration: 7*24, // hours
//enforceMFA: false,
//logIP: false,
adminKeys: [
],
//inactiveTime: 90, // days
//archiveRetentionTime: 15,
//accountRetentionTime: 365,
//disableIntegratedEviction: true,
//maxUploadSize: 20 * 1024 * 1024,
//premiumUploadSize: 100 * 1024 * 1024,
filePath: './datastore/',
archivePath: './data/archive',
pinPath: './data/pins',
taskPath: './data/tasks',
blockPath: './block',
blobPath: './blob',
blobStagingPath: './data/blobstage',
decreePath: './data/decrees',
logPath: './data/logs',
logToStdout: true,
logLevel: 'verbose',
logFeedback: false,
verbose: true,
installMethod: 'docker',
};

123
kubernetes/app/cryptpad/cronjob-backup.yaml Normal file
View File

@@ -0,0 +1,123 @@
# Backs up user data (blob, datastore, data, block directories)
apiVersion: batch/v1
kind: CronJob
metadata:
name: cryptpad-data-backup
namespace: cryptpad
labels:
app: cryptpad-backup
spec:
schedule: "0 2 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: cryptpad-backup
spec:
restartPolicy: OnFailure
containers:
- name: resticprofile
image: creativeprojects/resticprofile:0.32.0
command:
- sh
- -c
- |
resticprofile -c /secrets/profiles.yaml -n cryptpad-data backup
resticprofile -c /secrets/profiles.yaml -n cryptpad-data copy
env:
- name: B2_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_ID
- name: B2_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_KEY
volumeMounts:
- name: secrets
mountPath: /secrets
readOnly: true
- name: data
mountPath: /backup-data
readOnly: true
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
volumes:
- name: secrets
secret:
secretName: cryptpad-backup-config
- name: data
persistentVolumeClaim:
claimName: cryptpad-data
---
# Backs up config and customization directories
apiVersion: batch/v1
kind: CronJob
metadata:
name: cryptpad-config-backup
namespace: cryptpad
labels:
app: cryptpad-backup
spec:
schedule: "0 3 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: cryptpad-backup
spec:
restartPolicy: OnFailure
containers:
- name: resticprofile
image: creativeprojects/resticprofile:0.32.0
command:
- sh
- -c
- |
resticprofile -c /secrets/profiles.yaml -n cryptpad-config backup
resticprofile -c /secrets/profiles.yaml -n cryptpad-config copy
env:
- name: B2_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_ID
- name: B2_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_KEY
volumeMounts:
- name: secrets
mountPath: /secrets
readOnly: true
- name: config
mountPath: /backup-config
readOnly: true
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
memory: 512Mi
volumes:
- name: secrets
secret:
secretName: cryptpad-backup-config
- name: config
persistentVolumeClaim:
claimName: cryptpad-config

175
kubernetes/app/cryptpad/deployment.yaml Normal file
View File

@@ -0,0 +1,175 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cryptpad
namespace: cryptpad
labels:
app: cryptpad
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: cryptpad
template:
metadata:
labels:
app: cryptpad
spec:
securityContext:
runAsUser: 4001
runAsGroup: 4001
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
initContainers:
# # Create required subdirectories on NFS volumes before subPath mounts are used
# - name: init-dirs
# image: busybox:1.36
# securityContext:
# runAsUser: 0
# runAsNonRoot: false
# command:
# - sh
# - -c
# - |
# mkdir -p /data/blob /data/datastore /data/data /data/block /data/onlyoffice
# mkdir -p /config/customize
# chown -R 4001:4001 /data /config
# volumeMounts:
# - name: data
# mountPath: /data
# - name: config
# mountPath: /config
# Clone the official CryptPad SSO plugin into an emptyDir shared with the main container
- name: install-sso-plugin
image: alpine/git:v2.47.2
securityContext:
runAsUser: 0
runAsNonRoot: false
command:
- sh
- -c
- |
git clone --depth=1 https://github.com/cryptpad/sso /plugin
chown -R 4001:4001 /plugin
volumeMounts:
- name: sso-plugin
mountPath: /plugin
containers:
- name: cryptpad
image: cryptpad/cryptpad:version-2026.2.0
ports:
- containerPort: 3000
name: http
protocol: TCP
- containerPort: 3003
name: api
protocol: TCP
env:
- name: CPAD_CONF
value: "/cryptpad/config/config.js"
- name: CPAD_MAIN_DOMAIN
value: "https://${CRYPTPAD_HOST}"
- name: CPAD_SANDBOX_DOMAIN
value: "https://${CRYPTPAD_SANDBOX_HOST}"
# Trust the Traefik pod CIDR so CryptPad sees real client IPs.
# Adjust if your pod CIDR is different.
- name: CPAD_TRUSTED_PROXY
value: "10.0.0.0/8"
- name: CPAD_REALIP_HEADER
value: "X-Forwarded-For"
- name: CPAD_REALIP_RECURSIVE
value: "on"
# Downloads and installs OnlyOffice frontend on first start (persisted via data PVC).
# First startup will be slower while OnlyOffice assets are fetched.
- name: CPAD_INSTALL_ONLYOFFICE
value: "yes"
volumeMounts:
# User data — split into subdirs on a single NFS PVC
- name: data
mountPath: /cryptpad/blob
subPath: blob
- name: data
mountPath: /cryptpad/datastore
subPath: datastore
- name: data
mountPath: /cryptpad/data
subPath: data
- name: data
mountPath: /cryptpad/block
subPath: block
# Customization (branding, themes) — persisted on NFS
- name: config
mountPath: /cryptpad/customize
subPath: customize
# OnlyOffice dist — local-path (not NFS): rdfind uses hard links which
# require a real filesystem, and scanning NFS for dedup is very slow
- name: onlyoffice
mountPath: /cryptpad/www/common/onlyoffice/dist
# SSO plugin — freshly cloned by init container on each pod start
- name: sso-plugin
mountPath: /cryptpad/lib/plugins/sso
# sso.js mounted directly from the secret — overlays the NFS config dir
# at this specific file path, no init container needed
- name: sso-secret
mountPath: /cryptpad/config/sso.js
subPath: sso.js
readOnly: true
- name: application-config
mountPath: /cryptpad/customize/application_config.js
subPath: application_config.js
readOnly: true
- name: application-config
mountPath: /cryptpad/config/config.js
subPath: config.js
readOnly: true
# npm run build runs on every start and can take several minutes.
# startupProbe absorbs that time; liveness/readiness take over once up.
startupProbe:
httpGet:
port: 3000
path: /
failureThreshold: 120
periodSeconds: 60
livenessProbe:
httpGet:
port: 3000
path: /
periodSeconds: 30
readinessProbe:
httpGet:
port: 3000
path: /
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
memory: 2Gi
volumes:
- name: data
persistentVolumeClaim:
claimName: cryptpad-data
- name: config
persistentVolumeClaim:
claimName: cryptpad-config
- name: sso-plugin
emptyDir: {}
- name: onlyoffice
persistentVolumeClaim:
claimName: cryptpad-onlyoffice
- name: sso-secret
secret:
secretName: cryptpad-credentials
items:
- key: sso.js
path: sso.js
- name: application-config
configMap:
name: cryptpad-config

24
kubernetes/app/cryptpad/ingress-main.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cryptpad
namespace: cryptpad
annotations:
cert-manager.io/cluster-issuer: letsencrypt
# No Traefik auth middleware — authentication is handled natively via the OIDC SSO plugin
spec:
tls:
- hosts:
- ${CRYPTPAD_HOST}
secretName: cryptpad-tls
rules:
- host: ${CRYPTPAD_HOST}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cryptpad
port:
number: 3000

26
kubernetes/app/cryptpad/ingress-sandbox.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cryptpad-sandbox
namespace: cryptpad
annotations:
cert-manager.io/cluster-issuer: letsencrypt
# The sandbox domain is required by CryptPad for CSP isolation of embedded content.
# It must be a different origin from the main domain but points to the same backend.
# No auth middleware — this domain serves sandboxed iframes with restrictive CSP headers.
spec:
tls:
- hosts:
- ${CRYPTPAD_SANDBOX_HOST}
secretName: cryptpad-sandbox-tls
rules:
- host: ${CRYPTPAD_SANDBOX_HOST}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cryptpad
port:
number: 3000

4
kubernetes/app/cryptpad/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cryptpad

56
kubernetes/app/cryptpad/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,56 @@
# Default deny all ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: cryptpad
spec:
podSelector: {}
policyTypes:
- Ingress
---
# Allow Traefik to reach the CryptPad pod (both HTTP and API/WebSocket ports)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-controller
namespace: cryptpad
spec:
podSelector:
matchLabels:
app: cryptpad
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
ports:
- port: 3000
- port: 3003
---
# Allow backup pods egress to Synology (restic rest-server), B2, and DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-backup-egress
namespace: cryptpad
spec:
podSelector:
matchLabels:
app: cryptpad-backup
policyTypes:
- Egress
egress:
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- ports:
- port: 8000
protocol: TCP
- ports:
- port: 443
protocol: TCP

32
kubernetes/app/cryptpad/pv-config.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cryptpad-config-nfs
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
storageClassName: ""
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- timeo=30
- retrans=3
nfs:
server: synology.storage.lviv
path: ${CRYPTPAD_CONFIG_NFS_PATH}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cryptpad-config
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
storageClassName: ""
volumeName: cryptpad-config-nfs
resources:
requests:
storage: 10Gi

32
kubernetes/app/cryptpad/pv-data.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cryptpad-data-nfs
spec:
capacity:
storage: 100Gi
accessModes:
- ReadWriteOnce
storageClassName: ""
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- timeo=30
- retrans=3
nfs:
server: synology.storage.lviv
path: ${CRYPTPAD_DATA_NFS_PATH}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cryptpad-data
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
storageClassName: ""
volumeName: cryptpad-data-nfs
resources:
requests:
storage: 100Gi

12
kubernetes/app/cryptpad/pvc-onlyoffice.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cryptpad-onlyoffice
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 5Gi

26
kubernetes/app/cryptpad/secret-backup.sops.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: v1
kind: Secret
metadata:
name: cryptpad-backup-config
namespace: cryptpad
stringData:
profiles.yaml: ENC[AES256_GCM,data:8t3Vx7GUX059eX6nxypFx/VacLL+hMy+muF3cybpSMNt5cQXONoUrFQnjW1VkWRgk/n/fqVa80HmT3g1JCeUBwNVDsM9DfH0VCiJxoMYrpDmYObkt82RUMnojhG6afPVPEduvaccOAjyslGnZAMAuQT+DIO/C8wayYDQJcIXJZeHorRJR/4P358EWw7h/p6ylNXGWPiI7IsIn0zsaePD3mshoA4ix+pUbBztTSk3Ij7iiGqltYIZkq8QYkOy4oiAmFTLxIlZfEfrMXrkOaHuvkGd1uftX3VfzJAaLmbGP5sEdkAPawYmGWLnU+ObFSL31zkbTCKhNtEwzQbDmw5RC4srVMj6UttDDs7LBzGZh/HUuXoKb+DIBlYV9siGwZH3bLrg7XoXVi2BimKPAQELlAtOfvOe7NZ8cBE34cCvd3MiZqN37uZYdx2sRHFPJp6PyWbglG2TIqj/J1lPKdZOMG7NpEvc2WXi8ltWjtNmDNjoLsaUh5+e3TqLIYkdd4BxwN0sEJFU/apyyGcS5/2TED0ZgBPINvdCVApTagNwIWjmi11VH2r5hxkb2OnZkwRjsyujmSexaFdS7jjBDXZNg6x1Q4vgBb70iCfTPqAGQyFkTpf3+AKopuPgto9LLztmmC7e4Q08D1ncDGatGRrgIXDhhhhFnbTKdle53gQKLWi8THxIF1/nlvu07zn+HYP5sWG38No2kpMJwCXeUoqXwHhcgVRlAyPka6ip+zWOyg/qdcJU4k4sCW4+DkrdwUHOCiT/0wYRMdeoDRJDLVS/5OESl3HboIQSTxDhgUid0iGH3zr35zwa3DR4mMXYPkh+Nodsp0oh5aG0lIDGrz+6lOVznYUTate1CVm3HN2zQPRyuTPMxILsEVC44qQ3KyR55VgZhwER2418wg68VFQA1uT8HTPEVZFPRgxdK4amIHr7cnC2B67/X0oeHJNbDEc0EAkEx8v08HklJQELNMNInRySW1UnBQOIWo3rl0PsZgyecWnK9vdwPjfEyzr8DVlfm7rGMNTWc7iIPwYom9jLHh4IgOU5TEVatwkd+zMS8ZeHPeFEdL/bf0YbdBqir8+X9ERSkG41OQGYL5Rhx3XM6oExfA4hGGqAEXfGTCAqIljkyKzo7280sIdkDvEBq+FMnCJ+APCSoPqNQUqZpEmWG/XP+Q+bgo5Pb32vlxL8dwcVmuiuu0cndW7gzA6YgfCRfTmGTNjW43J/h5ODBa8Vhu2WNiRMwCzH72ExOvwgKEBeP1LPHVcMLT0f/CMItcpzkuGwzlitZMAm2nmCdSB71hdtsKD6x5hIzhsDCAzZz6VCUF+NAgjOyks3urlDiBhyMnzetXnDgtLB1kL8qwIHOvWQoF5S50KrCbHTNJUhBWBJzRom7oZJOdyHwo7MmSMvRWTY5xA09umSia6/qyDlGeCHDYx/C8i3/WGUGsVKB2EzsfY=,iv:z79twnVkLyonYaOgz2f4ZW7noMlDxZgDRqYySBj+Mlk=,tag:2W0mtSBGiqgWPKDyZrKYRg==,type:str]
restic-password-nas: ENC[AES256_GCM,data:0g81dj/gNwnBPkbVXR1o5mZ4axAhnL7YwSNcnE2fI1DWly4cO3kNyxta5OdgTAGZwNeiT+qaOFi6HXHn9fSHlQ==,iv:OZEza2gkiygZ1KzvD3MJZ/JXIrfbcZenKcOJfMlEjvM=,tag:rnJ8sFQgzD6g3pEHRQLg3A==,type:str]
restic-password-b2: ENC[AES256_GCM,data:sazn2f09uZsFU1/MY30iPj0gx9pSFvcy/JgHsXTLMFbq5OimAfHsiYR1nMf2mQ8GwqMtQTF4t0lkfDnmy/8Qyg==,iv:HOI8oohNCCtP/heNBCQ5HEKfRVdMalv3MU/puRkOQ4A=,tag:aLKeUbwED2TjeAfkydj+MQ==,type:str]
B2_ACCOUNT_ID: ENC[AES256_GCM,data:Jh4gWGGt5wVaVAMG5oWFXW7W0Taq9Qiyhw==,iv:XZtsiYUtFtSDhgLpG3uNIGLHWqGmCM3zHq2RUu6tdXM=,tag:KQfrBmkAYadVvhtgAzDNzw==,type:str]
B2_ACCOUNT_KEY: ENC[AES256_GCM,data:XI+P//Ti512rQfDgmV00Bq3Wxly6//ESBKsDItXdug==,iv:/xAPGSJIathFIwyWUQoBW2DwYBpHnJCElnRMe16Pf9s=,tag:xSh2kFbQnw+bpAbbQ3rHWQ==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVGM3NlRSenp4d05sTEdY
c0JkdW5Xd2RQU3I4SlVTczVRWnVaRUY5RHdnClM1QVlGR3lRWGZCVXR0RjR1Kzlh
ck4vLzNpeThIdmV4citIaFlVWnpFWXMKLS0tIHV2aWtSVTRxMzUrbldwQVRLRHE5
ajAzS2pINWIvQTc0T0FhMit6ZHNVRlkKW6hYD2mjAtZRyC8/fbSWiij1/clTB4br
sAmsCMBIDQf+r12TuzzpLiMnNOIU349GcYxuA24GWaEanordqCLz3A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-13T12:31:48Z"
mac: ENC[AES256_GCM,data:O+jD7jCBoQYNrRr+j/yn4YkGLaggHee8YVmvE5I5QXOB5pfPg09yQbuYj2IhKPBbVXl24ejlNDEAG3/qDaWgg1IlB+dKeTyrqxWq+mQ7vM9bgNRhf4ozS1lL3NR23V6JhilrosxTlFYCajerxdUbCh0vBXqsdJ0cIV8yggtQ7eY=,iv:gJkOvEFY4L/7qE3zMYnnon8XcGUegmcWKvKQ+/rxBVo=,tag:xQ1Qo7SgOs3N8451xX7Yxg==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.1

25
kubernetes/app/cryptpad/secret.sops.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: Secret
metadata:
name: cryptpad-credentials
namespace: cryptpad
stringData:
#ENC[AES256_GCM,data:s4VxDsDqwHw6ZhFNzA/mS+gdPwZlV5AcBDRUqfHTKSzjQPVg7unz7HkyfXtSBt36aH3P7fR9lUF1XtNvH9fF+6EfCa1dzIToSEw=,iv:TuYHrkjDFkA7fHhWzaHGrptyP5ClwiMArjoTf5LHXrQ=,tag:gvZxTmeeCEDTISgIpKxhhA==,type:comment]
#ENC[AES256_GCM,data:CXpQCo8r5GCE6lIpXpXlab0CEdMCuNC54Ynh4ahfE1fv2c49wNoiQNRQAjONbmhUoUIiUcCehNmuw/ZK5Fd3rvVUhXdUAKYo,iv:U6vrAHUz22QWSLxBYRFea+LXajuHIh8NlggB6DAoCjc=,tag:nnV8RMrNv+trUQgXpCvkJA==,type:comment]
#ENC[AES256_GCM,data:7TBFv3i2TzlyAcVhAdFE6T2F0E8pdAbYZorT6/brY8Ed+g6LvnwdVaYPcpJ7P6ETWXraqbhoktWICYklr35PAg==,iv:xsPinB1/gkzMHyzsrJ2gj8Fm0PWaIQbtBIB7fT1BTzI=,tag:O9dv+myneU7neE7JiRGuBQ==,type:comment]
sso.js: ENC[AES256_GCM,data:u1XHMXQKf6QtqqjzNx8LZIEZxKSWhVFZbgvKBqsGoKo7kve0nZynH/bYohVO3XDBtahBqDCgeAD/rj5OE2MlEhwF0OTfylpPmlDjD3tuwogMv2NSDwERzzGv2BvMY97kIRwbGP3OtHGEEGO32JmNKWInZH7BrazeX5gvNLKjHk8XtCN8jKxoJwGEYw7EM8s219iFyQISKjo9/yElv4JVlecIa1bcbzswRsgWqzjG3kBJ2HLRcnH4Nr8D8VCDEdO32GHS0Y9Z7b3eaaj0YQyWleyAfqlufktMcr+SFDSQy4sPnzFuydi7kPXRb6OVDZLaKMVA4422VEEsuAOcz5CUZIJAg5KhPz9lZsruRw3hZBTjhRE2G05TwsvJNwY005rVe2pHL/Q3OZRKNZIfXK34lOwnBQMnBPJvtogIT+hZUBBAyz82nuR8KuujsGLo4sJPC/Vuayg9CrwxbQRx7fit5sdu5djwvVleBKyayhbBaP23BZToB9znSNm5HCOpohpAg4OYXazRpLBGH6lHla1tZy7MpfnoltEOHjeBQoqpez3zBQ9zNichIuPVnIK0h1dqAjLlZc5n7d9L6AHDrzSRq40iOnuc4ZuATMXtmd1JynSrjCH4FYKtROV9V3JXUCK9GwnZ04D26rbwxCKKykHkABF4AFDvv4ZeJPvN+Ag6R8TuSG74qzRUjvBP1+2uR/y9IsN5dGviYKzGnVFvkD87RrF3nZQc40+C4CfAuP9xTLJPzZ0b1t6Qr3Q52LipSyOt/I04ULToOU4U7heEkpbZxJAWiAlgLskjy9TfL/OY1uyZT9ZanWAhRVBa0dk2h8I5p9a01XtR8X3sIqg41i1K3VqEcKGk7IQMf+WmiUdLef7qx6Gq3+Di067NJ7fKKNAN3IFGE/LBlBVaj1fQNOaCfjSJ/A==,iv:FSSJUe6ymLHIM5CQLVgemHX71Z7Bz609WsNkOs9QM1E=,tag:Wxdnfa6WXyXVxI3VjU6dMA==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Vm8xRmZ0WDJRMmNPVUxq
T3VQSUVUYnVER0FFVW5FYWFHaUV3S2daWFJvCmxLdWpLVHpnMWNQaTlDZ0VOZ0JL
K044cmpRZm50SmZNNWZlWjBDS1hGS2cKLS0tIGRxMnZTTWRRMlg5eVBOb3pVYUlK
clRoWlp2SjQrOGFjQW92VnQ4amxUMXMKMjcBWo44X+Y2kmwpKZcBsBZZkWQJZEOf
VscZUj8VAZKF9IxOmbBaFc2EBi5xI7sYJSJ+gaLHHKLhcSNu59P+kQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-13T19:48:58Z"
mac: ENC[AES256_GCM,data:0mpN6sWiCHp3zVIKIdIEAnBEcczPb1YVfj4fae50JnJ4jF9ZZ6Wz4sQny00LKN59NFFHHM5bOa+ibqEXZ3pgtF0WQmmc5Sfn5w6n66L4mSJ0Pjx4akMJYjt5xMkRuLG996yZXg7pvSd3YrMgJEqf0hiexN+KJMLDqUwDIYpUHpc=,iv:BMIyWxc0k8SZTxS9/F3Vxfa4HY/WordDRQTfJmZZSI0=,tag:FpPT98LvKY2HgeBfZOw5TQ==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.1

17
kubernetes/app/cryptpad/service.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: cryptpad
namespace: cryptpad
spec:
selector:
app: cryptpad
# Session affinity ensures WebSocket connections always reach the same pod
sessionAffinity: ClientIP
ports:
- port: 3000
targetPort: 3000
name: http
- port: 3003
targetPort: 3003
name: api